CN117932457B - Model fingerprint identification method and system based on error classification - Google Patents
- Publication number: CN117932457B (application number CN202410331647.6A)
- Authority: CN (China)
- Prior art keywords: sample, fingerprint, model, samples, error
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F18/24133: Physics > Computing; calculating or counting > Electric digital data processing > Pattern recognition > Analysing > Classification techniques > Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches > based on distances to training or reference patterns > Distances to prototypes
- G06F18/214: Physics > Computing; calculating or counting > Electric digital data processing > Pattern recognition > Analysing > Design or setup of recognition systems or techniques; extraction of features in feature space; blind source separation > Generating training patterns; bootstrap methods, e.g. bagging or boosting
- G06N3/0475: Physics > Computing; calculating or counting > Computing arrangements based on specific computational models > Computing arrangements based on biological models > Neural networks > Architecture, e.g. interconnection topology > Generative networks
- G06N3/0985: Physics > Computing; calculating or counting > Computing arrangements based on specific computational models > Computing arrangements based on biological models > Neural networks > Learning methods > Hyperparameter optimisation; meta-learning; learning-to-learn
- G06Q50/184: Physics > Computing; calculating or counting > Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes > ICT specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism > Services > Legal services > Intellectual property management
Abstract
The invention provides a model fingerprint identification method and system based on error classification, and relates to the field of model copyright protection. Model fingerprint identification based on misclassification first finds samples that both the target model and the pirate model (a modified copy) misclassify. Then, with the parameters of the target model left unchanged, a GAN network is used to strengthen the classification features of those error samples so as to generate fingerprint samples that the target model classifies correctly, while keeping the fingerprint samples natural and close to the original samples. Finally, the error samples and the fingerprint samples together form the query set, and model ownership is verified by comparing the predicted labels of the error samples and the fingerprint samples. The method not only greatly improves the concealment of the fingerprint samples but also improves robustness against attacks such as model fine-tuning, pruning and noise addition.
Description
Technical Field
The invention relates to the technical field of model copyright protection, in particular to a model fingerprint identification method and system based on error classification.
Background
With the rapid development of deep learning, deep neural networks have achieved great success in many fields of artificial intelligence, such as image recognition, visual understanding and natural language processing. Enterprises such as Microsoft, Google and Baidu have deployed DL models in their commercial products to provide higher-quality, more intelligent services. Although deep neural networks outperform traditional methods, designing and training a high-performance deep model is not a simple task: it usually requires large amounts of labelled training data, extensive computational resources, and the expertise to design a good architecture and a suitable learning strategy, so the development cost is beyond the reach of most people. At the same time, a high-performance deep model carries enormous commercial value, and a malicious user may steal it with a surrogate-model (proxy) attack by querying the target model's API, or may steal the model's structure and parameters outright and modify the model. The intellectual property of the model therefore needs to be protected against piracy.
Model watermarking is a common method for protecting the intellectual property of models: watermark information is embedded into the model by modifying its parameters or similar means. However, existing research shows that watermark-based model protection inevitably affects model performance, and in key fields such as medicine and finance even a 1% loss of accuracy is intolerable, so researchers have proposed model fingerprint identification. Model fingerprinting requires neither modification of the model's training process nor fine-tuning of its parameters; it protects the model's intellectual property by finding features specific to the model. A model fingerprinting method first searches for samples near the classification boundary of the target model and then turns them into fingerprint samples by adversarial-example methods and the like. Finally, the fingerprint samples and their predicted labels are taken as the fingerprint of the target model. For a suspicious classifier, the model owner submits the fingerprint sample set through remote API access and obtains its labels; by comparing the suspicious classifier's predicted labels on the fingerprint samples with those of the target classifier, the model owner verifies whether the suspicious classifier was pirated from the target classifier.
Although existing model fingerprinting methods based on classification boundaries do protect model intellectual property, fingerprints built from samples on the decision boundary are not robust to model attacks, and fingerprint samples generated by adversarial-example methods are unnatural, poorly concealed and easy to detect.
Disclosure of Invention
(I) Technical problem to be solved
In view of the shortcomings of the prior art, the invention provides a model fingerprint identification method and system based on error classification, which solve the problem that existing classification-boundary-based fingerprinting methods protect model intellectual property but, because they rely on samples on the decision boundary, are not robust to model attacks.
(II) technical scheme
In order to achieve the above purpose, the invention is realized by the following technical scheme:
In a first aspect, a model fingerprint identification method based on error classification is provided, including:
Inputting a public data set D_m, querying the target model repeatedly with D_m to obtain predicted labels for D_m, taking the labelled D_m as the initial training set D_train, and training a pirate model on D_train;
Screening out, from the training set D_train, the samples Z that both the target model and the pirate model misclassify;
Finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, as the centroid sample D_s;
Screening out, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
Inputting the error samples Z_e into a pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r;
Screening out, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
Inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples.
Preferably, the sample with the smallest accumulated distance to the other samples of the same class in each class of the training set D_train is found as the centroid sample D_s by the following formula:
where N is the number of samples in class k and the norm denotes the length of a vector.
Preferably, inputting the error samples Z_e into the pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r specifically includes:
Inputting the error samples Z_e into the generator G of the GAN network to obtain fingerprint samples Z_r, inputting the fingerprint samples Z_r into the target model, and guiding their classification to be correct;
Training the GAN network with a weighted combination of the classification loss and the identification loss, where the weighting hyperparameter balances the quality of the error samples against that of the fingerprint samples;
Inputting the fingerprint samples Z_r into the discriminator, and guiding the generation of natural fingerprint samples by computing the discrimination loss L_d;
Computing the total loss L, back-propagating to minimize the total loss function L, and iteratively updating the parameters of the GAN network to obtain natural fingerprint samples.
Preferably, the classification loss is given by the following formula:
in which the target model F is applied to the fingerprint sample Z_r, Y is the label toward which the fingerprint sample is guided to be classified, and the loss function used is the Carlini-Wagner loss.
Preferably, the Carlini-Wagner loss is given by the following formula:
where Z denotes the model's logit output, as in the Carlini-Wagner formulation, and the parameter k encourages the GAN network to generate high-confidence samples that are classified as class Y.
Preferably, the discrimination loss L_d is given by the following formula:
Preferably, after the error samples Z_e and the fingerprint samples Z_w are respectively input into the pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples, it is determined whether E_i' = E_i and W_i' = W_i hold, where E_i' is the label set of the error samples output by the suspicious model, E_i is the recorded label set of the error samples, W_i' is the label set of the fingerprint samples output by the suspicious model, and W_i is the recorded label set of the fingerprint samples; the matching rate S is computed by the following formula:
If the matching rate S is greater than 95%, the suspicious model is judged to be a stolen model.
In a second aspect, a model fingerprint identification system based on error classification is provided, comprising:
The preprocessing module is used for inputting a public data set D_m, querying the target model repeatedly with D_m to obtain predicted labels for D_m, taking the labelled D_m as the initial training set D_train, and training a pirate model on D_train;
The first screening module is used for screening out, from the training set D_train, the samples Z that both the target model and the pirate model misclassify;
The extraction module is used for finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, as the centroid sample D_s;
The recording module is used for screening out, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
The generation module is used for inputting the error samples Z_e into a pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r;
The second screening module is used for screening out, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
The processing and output module is used for inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples.
In a third aspect, there is provided a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform the method of the first aspect.
In a fourth aspect, there is provided a computing device comprising:
One or more processors, memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing the method of the first aspect.
(III) Beneficial effects
The invention discloses a model fingerprint identification method based on error classification. Unlike other model fingerprinting methods based on classification boundaries, it first searches for error samples in the region that both the target model and the stolen model misclassify, and strengthens the classification features of those error samples through a GAN network to generate correctly classified fingerprint samples. Generating the fingerprint samples with a GAN network greatly improves their concealment. At the same time, the modifications an attacker would make to the model are simulated, and the error samples and fingerprint samples are screened using centroid samples, which greatly improves robustness against various model attacks.
Drawings
FIG. 1 is a flow chart of a model fingerprint identification method based on error classification;
FIG. 2 is a schematic diagram of a process of training a piracy model in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a process of screening erroneous samples according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a constructed centroid sample in an embodiment of the invention;
FIG. 5 is a schematic diagram of fingerprint sample generation by the GAN network in an embodiment of the invention;
FIG. 6 is a flow chart of verifying ownership of a model in an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Examples
As shown in FIG. 1, an embodiment of the invention provides a model fingerprint identification method based on error classification, comprising:
Inputting a public data set D_m, querying the target model repeatedly with D_m to obtain predicted labels for D_m, taking the labelled D_m as the initial training set D_train, and training a pirate model on D_train;
Screening out, from the training set D_train, the samples Z that both the target model and the pirate model misclassify;
Finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, as the centroid sample D_s;
Screening out, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
Inputting the error samples Z_e into a pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r;
Screening out, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
Inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples.
Specifically, the process of training the pirate model is described with reference to FIG. 2. The pirate model is trained in one of two ways, depending on the level of access the attacker has to the model. One is to steal the model by querying the target model to obtain labels for a data set and training a proxy model, functionally similar to the target model, on the labelled data. The other is to modify the target model directly by fine-tuning, pruning, adding noise and the like. Here the target model uses the WideResNet architecture and the proxy model uses the PreActResNet architecture.
The process of selecting error samples is described with reference to FIG. 3. After the pirate model has been trained, the training set D_train is used to screen out the samples Z that both the target model and the pirate model misclassify. CIFAR-10 was chosen as the training set D_train; it consists of 60,000 colour images, namely 50,000 training images (10 classes of 5,000 images each) and 10,000 test images (10 classes of 1,000 images each).
Furthermore, since the means of attacking a model are complex and varied, the samples Z_e farthest from the centroid sample are further screened out to strengthen the robustness of the fingerprint. FIG. 4 illustrates the construction of centroid samples, which are the samples of the training set closest to the centre of a class's decision region. In each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class is taken as the centroid sample D_s, by the following formula:
where N is the number of samples in class k and the norm denotes the length of a vector.
Further, the process of generating fingerprint samples with the GAN network is described with reference to FIG. 5. Inputting the error samples Z_e into the pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r specifically includes the following steps:
Inputting the error samples Z_e into the generator G of the GAN network to obtain fingerprint samples Z_r, inputting the fingerprint samples Z_r into the target model, and guiding their classification to be correct;
Training the GAN network with a weighted combination of the classification loss and the identification loss, where the weighting hyperparameter balances the quality of the error samples against that of the fingerprint samples;
Inputting the fingerprint samples Z_r into the discriminator, and guiding the generation of natural fingerprint samples by computing the discrimination loss L_d;
Computing the total loss L, back-propagating to minimize the total loss function L, and iteratively updating the parameters of the GAN network to obtain natural fingerprint samples.
Further, the classification loss is given by the following formula:
in which the target model F is applied to the fingerprint sample Z_r, Y is the label toward which the fingerprint sample is guided to be classified, and the loss function used is the Carlini-Wagner loss.
Further, the Carlini-Wagner loss is given by the following formula:
where Z denotes the model's logit output, as in the Carlini-Wagner formulation, and the parameter k encourages the GAN network to generate high-confidence samples that are classified as class Y.
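The Carlini-Wagner loss described above, and the way the generator is driven by it, as an added example that is not code from the patent. The loss is implemented in its standard margin form, f(Z) = max(max_{i != Y} Z_i - Z_Y, -kappa), with k written as `kappa`. The GAN generator is replaced here by a greedy coordinate search over a constructed two-dimensional error sample: it moves the point until the target-class logit of a hypothetical two-class scorer (`toy_logits`, standing in for the target model's logit output) leads by the margin kappa, while an assumed identity term lam * ||Z_r - Z_e||^2 keeps the result close to the original. The scorer, the identity term, the step size and the numeric values are all assumptions of this example.

```python
"""Added example: Carlini-Wagner margin loss and a greedy stand-in for the generator."""
from typing import List, Sequence, Tuple

Point = Tuple[float, float]


def cw_margin_loss(logits: Sequence[float], target: int, kappa: float = 0.0) -> float:
    """Carlini-Wagner margin: f(Z) = max(max_{i != target} Z_i - Z_target, -kappa).
    Positive while the sample is misclassified; it bottoms out at -kappa once the target
    logit leads every other logit by at least kappa, so kappa sets the confidence margin."""
    if len(logits) < 2 or not 0 <= target < len(logits):
        raise ValueError("need at least two logits and a valid target index")
    best_other = max(z for i, z in enumerate(logits) if i != target)
    return max(best_other - logits[target], -kappa)


def toy_logits(p: Point) -> List[float]:
    """Hypothetical two-class scorer standing in for the target model's logit output:
    class 1 is favoured when y > x, class 0 when x > y."""
    x, y = p
    return [x - y, y - x]


def guide_toward_class(z_e: Point, target: int, kappa: float, lam: float,
                       step: float = 0.1, max_steps: int = 1000) -> Tuple[Point, int]:
    """Greedy coordinate search playing the role of the generator G: minimise
    L_cls + lam * ||Z_r - Z_e||^2, where the similarity term is an assumed identity loss.
    Each step moves one coordinate by `step`; it stops when no single move lowers the loss."""
    x0, y0 = z_e
    kx = ky = 0  # integer offsets keep the penalty symmetric in x and y without float drift

    def objective(ix: int, iy: int) -> float:
        p = (x0 + step * ix, y0 + step * iy)
        identity = lam * ((step * ix) ** 2 + (step * iy) ** 2)
        return cw_margin_loss(toy_logits(p), target, kappa) + identity

    current = objective(kx, ky)
    steps = 0
    while steps < max_steps:
        moves = [(kx + 1, ky), (kx - 1, ky), (kx, ky + 1), (kx, ky - 1)]
        best = min(moves, key=lambda m: objective(*m))
        if objective(*best) >= current:
            break  # saturated at -kappa: any further move only pays identity penalty
        kx, ky = best
        current = objective(kx, ky)
        steps += 1
    return (x0 + step * kx, y0 + step * ky), steps


if __name__ == "__main__":
    z_e = (0.5, 3.0)  # constructed error sample: true class 0, scored as class 1
    print("loss at Z_e:", cw_margin_loss(toy_logits(z_e), 0, kappa=0.5))
    z_r, n = guide_toward_class(z_e, target=0, kappa=0.5, lam=0.01)
    print("Z_r:", z_r, "after", n, "steps; loss:", cw_margin_loss(toy_logits(z_r), 0, 0.5))
```

With kappa = 0.5 and lam = 0.01 the search takes 28 steps and stops at (1.9, 1.6), where the loss has saturated at -kappa. Raising kappa demands a larger logit margin and therefore a larger displacement from Z_e; raising lam does the opposite. That is the trade-off the weighting hyperparameter in the combined loss controls, and the discriminator term (not modelled here) adds the naturalness constraint on top.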
Further, the discrimination loss L_d is given by the following formula:
Further, the process of verifying model ownership is described with reference to FIG. 6. After the error samples Z_e and the fingerprint samples Z_w are respectively input into the pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples, it is determined whether E_i' = E_i and W_i' = W_i hold, where E_i' is the label set of the error samples output by the suspicious model, E_i is the recorded label set of the error samples, W_i' is the label set of the fingerprint samples output by the suspicious model, and W_i is the recorded label set of the fingerprint samples; the matching rate S is computed as follows:
If the matching rate S is greater than 95%, the suspicious model is judged to be a stolen model.
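The whole procedure as laid out in the first aspect and repeated in this embodiment (screening Z, choosing centroid samples D_s, selecting Z_e farthest from and Z_w closest to the centroid, recording the target's labels, and verifying a suspicious model by the matching rate S) as an added worked example; it is not code from the patent. Hypothetical two-class linear models in two dimensions stand in for the WideResNet target and the PreActResNet proxy, the training set is a constructed twelve-point set with ground-truth labels, selection is a global top-k by distance to the class centroid, and S is assumed to be the fraction of query samples whose recorded label the suspicious model reproduces. The GAN generator is not implemented: the fingerprint candidates Z_r are hand-placed points near Z_e that the target classifies correctly. Verification is run against a boundary-shifted copy of the target (standing in for a fine-tuned pirate) and against an unrelated model for the same task.

```python
"""Added example: screening, centroid selection and ownership verification on toy models."""
import math
from typing import Callable, Dict, List, Sequence, Tuple

Point = Tuple[float, float]
Classifier = Callable[[Point], int]


def linear_classifier(w: float, b: float) -> Classifier:
    """Hypothetical stand-in for a DNN: predict class 1 iff w*x + y + b > 0, else 0."""
    def predict(p: Point) -> int:
        x, y = p
        return 1 if w * x + y + b > 0 else 0
    return predict


def distance(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def centroid_samples(samples: Sequence[Point], labels: Sequence[int]) -> Dict[int, Point]:
    """D_s: per class, the member with the smallest accumulated distance to its class-mates."""
    by_class: Dict[int, List[Point]] = {}
    for p, y in zip(samples, labels):
        by_class.setdefault(y, []).append(p)
    return {y: min(members, key=lambda p: sum(distance(p, q) for q in members))
            for y, members in by_class.items()}


def misclassified_by_both(samples, labels, target, pirate) -> List[int]:
    """Z: indices of samples whose ground-truth label both models get wrong."""
    return [i for i, (p, y) in enumerate(zip(samples, labels))
            if target(p) != y and pirate(p) != y]


def select_by_centroid_distance(candidates, samples, labels, centroids, k, farthest) -> List[int]:
    """Rank candidate indices by distance to their own class centroid and keep k of them:
    farthest=True gives Z_e (error samples), farthest=False gives Z_w (fingerprint samples)."""
    ranked = sorted(candidates, key=lambda i: distance(samples[i], centroids[labels[i]]),
                    reverse=farthest)
    return ranked[:k]


def record_labels(model: Classifier, points: Sequence[Point]) -> List[int]:
    return [model(p) for p in points]


def matching_rate(recorded: Sequence[int], observed: Sequence[int]) -> float:
    """S, assumed here to be the fraction of query positions whose recorded label the
    suspicious model reproduces (E_i' == E_i and W_i' == W_i, counted per sample)."""
    if not recorded or len(recorded) != len(observed):
        raise ValueError("query set and recorded labels must be non-empty and aligned")
    return sum(a == b for a, b in zip(recorded, observed)) / len(recorded)


def verify_ownership(query, recorded, suspicious, threshold=0.95) -> Tuple[float, bool]:
    """Query the suspicious model on Z_e + Z_w and apply the page's S > 95% rule."""
    s = matching_rate(recorded, record_labels(suspicious, query))
    return s, s > threshold


def run_demo() -> dict:
    # Constructed stand-in for D_train: 2-D points with ground-truth labels
    # (class 1 lies roughly above the diagonal y = x; a few points sit on the wrong side).
    samples = [(2.0, 0.0), (3.0, 1.0), (1.0, 0.5), (0.0, 1.0), (0.0, 0.2), (0.5, 3.0),
               (0.0, 2.0), (1.0, 3.0), (0.5, 1.0), (2.0, 1.0), (1.0, 1.2), (3.0, 0.5)]
    labels = [0] * 6 + [1] * 6
    target = linear_classifier(-1.0, 0.0)       # class 1 iff y - x > 0
    pirate = linear_classifier(-1.0, -0.3)      # same boundary shifted, as fine-tuning would
    independent = linear_classifier(1.0, -3.0)  # class 1 iff x + y > 3: unrelated model

    centroids = centroid_samples(samples, labels)
    z = misclassified_by_both(samples, labels, target, pirate)
    z_e_idx = select_by_centroid_distance(z, samples, labels, centroids, 2, farthest=True)
    z_e = [samples[i] for i in z_e_idx]
    e_labels = record_labels(target, z_e)       # the target's (wrong) labels are the fingerprint

    # Stand-in for the GAN output: hand-placed candidates near Z_e that the target now
    # classifies correctly; the generator itself is not implemented in this example.
    z_r = [(1.2, 1.0), (2.5, 0.8), (1.0, 1.5), (0.2, 2.5)]
    z_r_labels = [0, 0, 1, 1]
    if any(target(p) != y for p, y in zip(z_r, z_r_labels)):
        raise ValueError("fingerprint candidates must be classified correctly by the target")
    z_w_idx = select_by_centroid_distance(range(len(z_r)), z_r, z_r_labels, centroids, 2,
                                          farthest=False)
    z_w = [z_r[i] for i in z_w_idx]
    w_labels = record_labels(target, z_w)

    query, recorded = z_e + z_w, e_labels + w_labels
    s_pirate, stolen_pirate = verify_ownership(query, recorded, pirate)
    s_indep, stolen_indep = verify_ownership(query, recorded, independent)
    return {"centroids": centroids, "z": z, "z_e": z_e, "z_w": z_w, "recorded": recorded,
            "s_pirate": s_pirate, "stolen_pirate": stolen_pirate,
            "s_independent": s_indep, "stolen_independent": stolen_indep}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script gives S = 1.0 for the boundary-shifted copy (judged stolen) and S = 0.5 for the unrelated model. With only four query samples the 95% rule is purely illustrative; in practice the query set has to be large enough that the threshold separates a modified copy from an independently trained model with a margin, and the recorded labels must be kept secret since they are the fingerprint.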
Yet another embodiment of the invention provides a model fingerprint identification system based on error classification, comprising:
The preprocessing module is used for inputting a public data set D_m, querying the target model repeatedly with D_m to obtain predicted labels for D_m, taking the labelled D_m as the initial training set D_train, and training a pirate model on D_train;
The first screening module is used for screening out, from the training set D_train, the samples Z that both the target model and the pirate model misclassify;
The extraction module is used for finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, as the centroid sample D_s;
The recording module is used for screening out, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
The generation module is used for inputting the error samples Z_e into a pre-constructed GAN network, guiding them to be classified correctly, and generating natural fingerprint samples Z_r;
The second screening module is used for screening out, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
The processing and output module is used for inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples.
Embodiments of the present application may be provided as a method or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the application can be implemented in various computer languages, such as the object-oriented programming language Java or the scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (9)
1. A model fingerprint identification method based on error classification, characterized by comprising the following steps:
inputting a public data set D_m, querying the target model repeatedly with the public data set D_m to obtain predicted labels for D_m, taking the labelled public data set D_m as the initial training set D_train, and training a pirated model on the initial training set D_train;
screening, from the initial training set D_train, the samples Z that the target model and the pirated model both misclassify into the same wrong class;
finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, and taking it as the centroid sample D_s;
screening, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
inputting the error samples Z_e into a pre-constructed GAN network, guiding the error samples Z_e to be classified correctly, and generating natural fingerprint samples Z_r;
screening, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples;
after the error samples Z_e and the fingerprint samples Z_w have been input into the pre-constructed suspicious model and the label set of the error samples and the label set of the fingerprint samples have been obtained, judging whether E_i' = E_i and W_i' = W_i hold, where E_i' is the label set of the error samples output by the suspicious model, E_i is the recorded label set of the error samples, W_i' is the label set of the fingerprint samples output by the suspicious model, and W_i is the recorded label set of the fingerprint samples, and computing the matching rate S as follows:
if the matching rate S is greater than 95%, the suspicious model is judged to be a pirated model.
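The query-set construction of claims 1 and 2 and the verification step of claim 1, as an added example that is not the patent's own code. The GAN stage is omitted; Euclidean distance and a plain fraction-of-matching-labels definition of the matching rate S are assumptions, since the page does not reproduce the formula for S.

```python
# Added example, not the patent's own code: query-set construction (claims 1
# and 2) and the verification step of claim 1 on constructed 2-D feature
# vectors. Assumptions: Euclidean distance, and S taken as the fraction of
# query samples whose suspicious-model label equals the recorded label.
import math

def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid_sample(samples):
    """Claim 2: the sample of a class with the smallest accumulated distance
    to the other samples of that class (a medoid, not the arithmetic mean)."""
    return min(samples, key=lambda s: sum(dist(s, o) for o in samples))

def shared_errors(samples, true_labels, target_pred, pirate_pred):
    """Samples Z that target and pirated model misclassify into the same class."""
    return [(s, t) for s, y, t, p in zip(samples, true_labels, target_pred, pirate_pred)
            if t != y and t == p]

def farthest(candidates, centroid, n):
    """Error samples Z_e: the n screened samples farthest from the centroid."""
    return sorted(candidates, key=lambda s: dist(s, centroid), reverse=True)[:n]

def nearest(candidates, centroid, n):
    """Fingerprint samples Z_w: the n GAN outputs closest to the centroid."""
    return sorted(candidates, key=lambda s: dist(s, centroid))[:n]

def matching_rate(recorded, observed):
    """S over the recorded (E_i, W_i) and observed (E_i', W_i') label sets."""
    hits = sum(1 for r, o in zip(recorded, observed) if r == o)
    return hits / len(recorded)

def is_pirated(recorded, observed, threshold=0.95):
    """Claim 1 decision rule: S greater than 95% flags a pirated model."""
    return matching_rate(recorded, observed) > threshold

if __name__ == "__main__":
    # Constructed class-0 training points and constructed model predictions.
    pts = [(0, 0), (1, 0), (0, 2), (5, 5), (5, 0), (0, 5)]
    truth, target, pirate = [0] * 6, [0, 0, 0, 1, 2, 1], [0, 1, 0, 1, 2, 0]
    d_s = centroid_sample(pts)                            # (0, 2)
    z = shared_errors(pts, truth, target, pirate)         # [((5, 5), 1), ((5, 0), 2)]
    z_e = farthest([s for s, _ in z], d_s, 1)             # [(5, 5)]
    z_w = nearest([(0.5, 2.5), (3, 3), (1, 1)], d_s, 2)   # [(0.5, 2.5), (1, 1)]
    print(d_s, z, z_e, z_w, is_pirated([1, 2, 0, 0, 0], [1, 2, 0, 0, 1]))  # ... False
```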
2. The model fingerprint identification method based on error classification as claimed in claim 1, wherein the sample with the smallest accumulated distance to the other samples of the same class in each class of the training set D_train is found and taken as the centroid sample D_s according to the following formula:
where N represents the number of samples in the k classes, and the remaining term represents the length of the vector.
3. The model fingerprint identification method based on error classification as claimed in claim 1, wherein inputting the error samples Z_e into the pre-constructed GAN network, guiding the error samples Z_e to be classified correctly, and generating natural fingerprint samples Z_r specifically includes:
inputting the error samples Z_e into the generator G of the GAN network to obtain fingerprint samples Z_r, inputting the fingerprint samples Z_r into the target model, and guiding their classification to be correct;
training the GAN network with a weighted combination of the classification loss and the identification loss, where the weighting factor is a hyperparameter that balances the quality of the error samples and the fingerprint samples;
inputting the fingerprint samples Z_r into the discriminator, and guiding the generation of natural fingerprint samples by computing the discrimination loss L_d;
computing the total loss L, back-propagating to minimize the total loss function L, and iteratively updating the parameters of the GAN network to obtain natural fingerprint samples.
4. The model fingerprint identification method based on error classification as claimed in claim 3, wherein the classification loss is given by the following formula:
where the fingerprint sample is classified by the target model F, the label term is the class toward which the fingerprint sample is guided to be classified, and the remaining term is the Carlini-Wagner loss.
5. The model fingerprint identification method based on error classification as claimed in claim 4, wherein the Carlini-Wagner loss is given by the following formula:
where Z is the term defined in the formula, and the parameter k encourages the GAN network to generate high-confidence samples that are classified as class Y.
6. The model fingerprint identification method based on error classification as claimed in claim 5, wherein the discrimination loss L_d is as follows:
7. A model fingerprint identification system based on error classification, comprising:
a preprocessing module for inputting a public data set D_m, querying the target model repeatedly with the public data set D_m to obtain predicted labels for D_m, taking the labelled public data set D_m as the initial training set D_train, and training a pirated model on the initial training set D_train;
a first screening module for screening, from the initial training set D_train, the samples Z that the target model and the pirated model both misclassify into the same wrong class;
an extraction module for finding, in each class of the training set D_train, the sample with the smallest accumulated distance to the other samples of the same class, to be used as the centroid sample D_s;
a recording module for screening, from the misclassified samples Z, a batch of samples with the largest distance from the centroid sample as the error samples Z_e of the query set, and recording the label set of the error samples Z_e;
a generation module for inputting the error samples Z_e into a pre-constructed GAN network, guiding the error samples Z_e to be classified correctly, and generating natural fingerprint samples Z_r;
a second screening module for screening, from the fingerprint samples Z_r generated by the GAN network, a batch of samples with the smallest distance from the centroid sample as the fingerprint samples Z_w of the query set, and recording the label set of the fingerprint samples;
a processing and output module for inputting the error samples Z_e and the fingerprint samples Z_w respectively into a pre-constructed suspicious model to obtain the label set of the error samples and the label set of the fingerprint samples;
after the error samples Z_e and the fingerprint samples Z_w have been input into the pre-constructed suspicious model and the label set of the error samples and the label set of the fingerprint samples have been obtained, judging whether E_i' = E_i and W_i' = W_i hold, where E_i' is the label set of the error samples output by the suspicious model, E_i is the recorded label set of the error samples, W_i' is the label set of the fingerprint samples output by the suspicious model, and W_i is the recorded label set of the fingerprint samples, and computing the matching rate S as follows:
if the matching rate S is greater than 95%, the suspicious model is judged to be a pirated model.
8. A computer-readable storage medium storing one or more programs, wherein the one or more programs comprise instructions which, when executed by a computing device, cause the computing device to perform any of the methods of claims 1-6.
9. A computing device, comprising:
one or more processors, a memory, and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing any of the methods of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410331647.6A CN117932457B (en) | 2024-03-22 | 2024-03-22 | Model fingerprint identification method and system based on error classification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117932457A CN117932457A (en) | 2024-04-26 |
CN117932457B true CN117932457B (en) | 2024-05-28 |
Family
ID=90757833
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410331647.6A Active CN117932457B (en) | 2024-03-22 | 2024-03-22 | Model fingerprint identification method and system based on error classification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117932457B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111240279A (en) * | 2019-12-26 | 2020-06-05 | 浙江大学 | Confrontation enhancement fault classification method for industrial unbalanced data |
CN113298184A (en) * | 2021-06-21 | 2021-08-24 | 哈尔滨工程大学 | Sample extraction and expansion method and storage medium for small sample image recognition |
CN114021670A (en) * | 2022-01-04 | 2022-02-08 | 深圳佑驾创新科技有限公司 | Classification model learning method and terminal |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220180203A1 (en) * | 2020-12-03 | 2022-06-09 | International Business Machines Corporation | Generating data based on pre-trained models using generative adversarial models |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||